Certificate reference: DPA/S27/GCHQ 


SECTION 27 DATA PROTECTION ACT 2018 


CERTIFICATE OF THE SECRETARY OF STATE 


1. Whereas: 


1.1 


1.2 


By section 26 of the Data Protection Act 2018 ("the Act") it is provided that 
the processing of personal data is exempt from certain provisions ofthe Act 
if the exemption from that provision is required for the purpose of 
safeguarding national security. For information, a full list of these provisions 
is provided at Annex A 


by section 27(1) it is provided that a certificate signed by a Minister of the 
Crown certifying that an exemption from all or any of the provisions 
mentioned in section 26(2) is, or at any time was, required for the purpose of 
safeguarding national security in respect of any personal data shall be 
conclusive evidence of that fact; 


by section 27(2), it is provided that a certificate under section 27(1) may 
identify the personal data to which it applies by means of a general 
description and may be expressed to have prospective effect. 


2. And considering the potentially serious adverse repercussions for the national 
security of the United Kingdom if the exemptions hereafter identified were not 
available. 


3. And for the reasons set out below: 


3.1 


3.2 


3.3 


3.4 


The intelligence services (the Security Service, the Secret Intelligence 
Service and the Government Communications Headquarters), where this is 
necessary in the proper discharge of their respective statutory functions, 
obtain data from and disclose data to organisations that are subject to the 
GDPR and such organisations cooperate with the intelligence services by 
processing data for national security purposes on their behalf. 


The work of the Government Communications Headquarters (GCHQ) 
requires secrecy. 


The general principle of neither confirming nor denying whether the 
intelligence services process data about an individual, or whether others are 
processing personal data for, on behalf of, with a view to assisting, working 
with, or h relation to the functions of the intelligence services is an essential 
part of that secrecy. 


h dealing with requests asserting the rights of data subjects (Part 2, Chapter 
3) under the Data Protection Act 2018, the controller will examine each 
individual request to determine, after consultation with GCHQ: 


i) whether adherence to that general principle is required for the 
purpose of safeguarding national security; and 


ii) in the event that such adherence is not required, whether and to 
what extent the non-communication of any data or any description 
of data is required for the purpose of safeguarding national 
security. 


4. Now, therefore, I, the Right Hon Jeremy Hunt MP, being a Minister of the Crown 
who is a member of the Cabinet, in exercise of the powers conferred by the said 
section 27(1) do issue this certificate and certify that any personal data that is 
processed by an organisation as described in Column 1 in the table below are and 
shall continue to be required to be exempt from those provisions of the Act that are 
set out in Column. 2. 


(a) for, on behalf of, at the request i. GDPR Article 5(1)(a), so far as it requires 
of or with the aid or assistance processing to be fair and transparent 
of GCHQ or 


GDPR Article 5(1)(b) and(d) 


(b) where such processing is a , 
necessary to facilitate the . _GDPR Article 10 


proper discharge of the , 
functions of GCHQ described in GDPR Articles 13-19 


section 3 of the Intelligence - 
Services Act 1994 . GDPR Articles 21-22 


GDPR Article 33-34 
GDPR Articles 44-49 

GDPR Article 57(1)(a) and (h) 

GDPR Article 58(1)(a), (b), (e), (f); Article 
58(2)(c), (e), (f), (g), Qj); Article 58(3)(b); 
Article 58(5) 


Data Protection Act section 115 (3) and 
(5)-(8) 


Data Protection Act section 119 
Data Protection Act section 146 
Data Protection Act sections 148-151 
Data Protection Act section 154 
Data Protection Act sections 170-173 


Data Protection Act Schedule 15 


Expires 


ANNEX A 


Provision 


GDPR Article 5(1)(a), so far as it 
requires processing to be fair and 
transparent 


GDPR Article 5(1)(b)-(f) and 5(2) 
GDPR Article 7 

GDPR Article 8 

GDPR Article 10 

GDPR Article 11 


GDPR Articles 12-22 
GDPR Articles 33-34 


GDPR Articles 44-50 


GDPR Article 57(1)(a) and (h) 


GDPR Article 58 


Applied GDPR Articles 77-82 


Data Protection Act Section 115(3) and 
115(8) 


Data Protection Act Section 115 (9) , so 
far as it relates to Article 58(2)(i) of the 
applied GDPR; 


Data Protection Act Section 119 
Data Protection Act Sections 142-154 


Data Protection Act Sections 170-173 
Data Protection Act Section 187 
Data Protection Act Schedule 15 


Notes 


Data protection principles 


Data protection principles 
Conditions for consent 
Child’s consent 

Criminal convictions data 


Processing which does not require 
identification 


Rights of Data Subjects, Chapter III 


Communication of personal data 
breaches 


Transfers of personal data to third 
countries or international organisations, 
Chapter V 


Commissioner's duties to monitor and 
enforce the applied GDPR and to 
conduct investigations 


Investigative, corrective, authorisation 
and advisory powers of Commissioner 


Remedies, liabilities and penalties 


General functions of the Commissioner 


General functions of the Commissioner 


Inspection in accordance with 
international obligations 


Commissioner’s notices and powers of 
entry and inspection 


Offences relating to personal data 
Representation of data subjects 
Powers of entry and inspection 


